borg [common options] key change-location [options] KEY_LOCATION
positional arguments |
||
|
select key location |
|
options |
||
|
keep the key also at the current location (default: remove it) |
|
Change the location of a Borg key. The key can be stored at different locations:
keyfile: locally, usually in the home directory
repokey: inside the repository
Please note:
This command does NOT change the crypto algorithms, just the key location, thus you must ONLY give the key location (keyfile or repokey).
borg [common options] key change-passphrase [options]
The key files used for repository encryption are optionally passphrase protected. This command can be used to change this passphrase.
Please note that this command only changes the passphrase, but not any secret protected by it (like e.g. encryption/MAC keys or chunker seed). Thus, changing the passphrase after passphrase and borg key got compromised does not protect future (nor past) backups to the same repository.
# Create a key file protected repository
$ borg repo-create --encryption=aes-ocb --key-location=keyfile -v
Initializing repository at "/path/to/repo"
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key in "/root/.config/borg/keys/mnt_backup" created.
Keep this key safe. Your data will be inaccessible without it.
Synchronizing index...
Archives: 0, w/ index: 0, w/ outdated index: 0, w/o index: 0.
Done.
# Change key file passphrase
$ borg key change-passphrase -v
Enter passphrase for key /root/.config/borg/keys/mnt_backup:
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key updated
Note
The key file paths shown above are the defaults for Linux (~/.config/borg/keys/).
On macOS, key files are stored in ~/Library/Application Support/borg/keys/.
On Windows, they are stored in C:\Users\<user>\AppData\Roaming\borg\keys\.
See Environment Variables for details.
# Import a previously-exported key into the specified
# key file (creating or overwriting the output key)
# (keyfile repositories only)
$ BORG_KEY_FILE=/path/to/output-key borg key import /path/to/exported
Fully automated using environment variables:
$ BORG_NEW_PASSPHRASE=old borg repo-create --encryption=aes-ocb
# now "old" is the current passphrase.
$ BORG_PASSPHRASE=old BORG_NEW_PASSPHRASE=new borg key change-passphrase
# now "new" is the current passphrase.
borg [common options] key export [options] [PATH]
positional arguments |
||
|
where to store the backup |
|
options |
||
|
export the borg key with this label |
|
|
export the borg key with this id (or unique id prefix) |
|
|
Create an export suitable for printing and later type-in |
|
|
Create an HTML file suitable for printing and later type-in or QR scan |
|
This command backs up the borg key.
If repository encryption is used, the repository is inaccessible without the borg key (and the passphrase that protects the borg key). If a repository is not encrypted, but authenticated, the borg key is still needed to access the repository normally.
For repositories using keyfile encryption the key is kept locally on the system that is capable of doing backups. To guard against loss or corruption of this key, the key needs to be backed up independently of the main data backup.
For repositories using repokey encryption or authenticated mode the key is kept in the repository. A backup is thus not strictly needed, but guards against the repository becoming inaccessible if the key is corrupted or lost.
Note that the backup produced does not include the passphrase itself (i.e. the exported key stays encrypted). In order to regain access to a repository, one needs both the exported key and the original passphrase. Keep the exported key and the passphrase at safe places.
A repository may have more than one borg key (each protected by its own
passphrase, see borg key add). Select which borg key to export with
--label or --key (its key id or a unique prefix, see
borg key list). If the repository has only a single borg key, no
selector is required.
There are three backup formats. The normal backup format is suitable for
digital storage as a file. The --paper backup format is optimized
for printing and typing in while importing, with per line checks to
reduce problems with manual input. The --qr-html creates a printable
HTML template with a QR code and a copy of the --paper-formatted key.
borg key export > encrypted-key-backup
borg key export --paper > encrypted-key-backup.txt
borg key export --qr-html > encrypted-key-backup.html
# Or pass the output file as an argument instead of redirecting stdout:
borg key export encrypted-key-backup
borg key export --paper encrypted-key-backup.txt
borg key export --qr-html encrypted-key-backup.html
borg [common options] key import [options] [PATH]
positional arguments |
||
|
path to the backup (‘-’ to read from stdin) |
|
options |
||
|
interactively import from a backup done with |
|
|
where to store the imported key: ‘repokey’ (in the repository, default) or ‘keyfile’ (in the local keys directory) |
|
This command restores a key previously backed up with the export command.
If the --paper option is given, the import will be an interactive
process in which each line is checked for plausibility before
proceeding to the next line. For this format PATH must not be given.
For repositories using keyfile encryption, the key file which borg key
import writes to depends on several factors. If the BORG_KEY_FILE
environment variable is set and non-empty, borg key import creates
or overwrites that file named by $BORG_KEY_FILE. Otherwise, borg
key import searches in the $BORG_KEYS_DIR directory for a key file
associated with the repository. If a key file is found in
$BORG_KEYS_DIR, borg key import overwrites it; otherwise, borg
key import creates a new key file in $BORG_KEYS_DIR.
borg [common options] key add [options]
options |
||
|
label for the new borg key (must be unique) |
|
A repository can be protected by more than one borg key. Each borg key contains the same secret key material, but is protected by an independent (potentially different) passphrase, and any of them can be used to unlock the same repository. This is useful e.g. to give individual users their own passphrase while keeping a separate admin/recovery passphrase.
This command adds an additional borg key. It does not re-encrypt any repository data
and does not change the existing borg keys. The new passphrase is read from
BORG_NEW_PASSPHRASE or queried interactively.
Each borg key has a label. The first borg key, created at repository creation time, has
the reserved label admin and is protected from deletion. Additionally added borg
keys require a unique, user-defined --label.
borg [common options] key list [options]
List the borg keys of the repository, showing each borg key’s id, mode (repokey or
keyfile), label and key derivation/encryption algorithm. The borg key used to
unlock the repository in this invocation is marked with *.
borg [common options] key remove [options]
options |
||
|
remove the borg key with this label |
|
|
remove the borg key with this id (or unique id prefix) |
|
|
remove the borg key that was used to unlock the repository |
|
Remove a borg key from the repository.
The borg key to remove is selected by exactly one of: --label (its label),
--key (its key id or a unique prefix, see borg key list), or
--passphrase (remove the borg key that was used to unlock the repository now).
The admin borg key is protected and cannot be removed, and the last remaining
borg key of a repository cannot be removed either.